Treekill Enables OS Command Injection
A Code Injection exists in treekill and tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.
Advisories for Npm/Tree-Kill package
2022
2020
Command Injection in tree-kill
Versions of tree-kill prior to 1.2.2 are vulnerable to Command Injection. The package fails to sanitize values passed to the kill function. If this value is user-controlled it may allow attackers to run arbitrary commands in the server. The issue only affects Windows systems. Recommendation Upgrade to version 1.2.2 or later.
2019
Code Injection
A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.